{
  "id": "security/insecure-direct-object-reference-in-api",
  "signature": "Insecure Direct Object Reference (IDOR) allows access to another user's data via predictable IDs",
  "signature_zh": "不安全的直接对象引用 (IDOR) 允许通过可预测的 ID 访问其他用户的数据",
  "regex": "GET /api/(user|order|account)/\\d+|IDOR|insecure direct object reference",
  "domain": "security",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The API exposes internal object IDs (e.g., user ID, order number) in URLs or request bodies without verifying that the authenticated user owns the resource, allowing unauthorized access to other users' data.",
  "root_cause_type": "generic",
  "root_cause_zh": "API 在 URL 或请求体中暴露内部对象 ID（例如用户 ID、订单号），而未验证经过身份验证的用户是否拥有该资源，从而允许未经授权访问其他用户的数据。",
  "versions": [
    {
      "version": "REST API",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "GraphQL",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Boot 3.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Obfuscate object IDs by using hashes (e.g., MD5) instead of sequential numbers",
      "why_fails": "Obfuscation is not authorization; if the hash is leaked or guessed (e.g., via enumeration), access is still granted. Authorization checks are required.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use UUIDs instead of integers for IDs",
      "why_fails": "UUIDs make guessing harder but do not prevent access if a user obtains another user's UUID (e.g., via shared links or logs). Authorization is still missing.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Implement authorization checks on every API endpoint that accesses a resource by ID: load the resource server-side and compare its owner against the authenticated user's identity, not against an ID taken from the request. In the example below a missing resource and a resource owned by someone else receive the same 403, so the response does not reveal whether a given ID exists. Example in Node.js/Express:\napp.get('/api/order/:id', async (req, res) => {\n    const order = await Order.findById(req.params.id);\n    if (!order || order.userId !== req.user.id) {\n        return res.status(403).json({ error: 'Forbidden' });\n    }\n    res.json(order);\n});",
      "success_rate": 0.9,
      "how": "Implement authorization checks on every API endpoint that accesses a resource by ID: load the resource server-side and compare its owner against the authenticated user's identity, not against an ID taken from the request. In the example below a missing resource and a resource owned by someone else receive the same 403, so the response does not reveal whether a given ID exists. Example in Node.js/Express:\napp.get('/api/order/:id', async (req, res) => {\n    const order = await Order.findById(req.params.id);\n    if (!order || order.userId !== req.user.id) {\n        return res.status(403).json({ error: 'Forbidden' });\n    }\n    res.json(order);\n});",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use attribute-based access control (ABAC) with a policy engine (e.g., OPA) to centrally enforce that users can only access resources they own.",
      "success_rate": 0.85,
      "how": "Use attribute-based access control (ABAC) with a policy engine (e.g., OPA) to centrally enforce that users can only access resources they own.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Replace direct object IDs with opaque, non-guessable tokens (e.g., signed JWTs) that encode the user's identity and resource ownership; on each request validate the signature and also check that the identity encoded in the token matches the authenticated caller, otherwise a leaked token grants access just as a leaked ID would.",
      "success_rate": 0.88,
      "how": "Replace direct object IDs with opaque, non-guessable tokens (e.g., signed JWTs) that encode the user's identity and resource ownership; on each request validate the signature and also check that the identity encoded in the token matches the authenticated caller, otherwise a leaked token grants access just as a leaked ID would.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Implement authorization checks on every API endpoint that accesses a resource by ID: load the resource server-side and compare its owner against the authenticated user's identity, not against an ID taken from the request. In the example below a missing resource and a resource owned by someone else receive the same 403, so the response does not reveal whether a given ID exists. Example in Node.js/Express:\napp.get('/api/order/:id', async (req, res) => {\n    const order = await Order.findById(req.params.id);\n    if (!order || order.userId !== req.user.id) {\n        return res.status(403).json({ error: 'Forbidden' });\n    }\n    res.json(order);\n});",
    "Use attribute-based access control (ABAC) with a policy engine (e.g., OPA) to centrally enforce that users can only access resources they own.",
    "Replace direct object IDs with opaque, non-guessable tokens (e.g., signed JWTs) that encode the user's identity and resource ownership; on each request validate the signature and also check that the identity encoded in the token matches the authenticated caller, otherwise a leaked token grants access just as a leaked ID would."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://owasp.org/www-community/attacks/Insecure_Direct_Object_Reference",
  "official_doc_section": null,
  "error_code": "AUTH_IDOR_006",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2023-12-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}